Description:
I've configured the network ext_authz filter to validate a TLS client certificate. It's working as expected; however, when the ext_authz validation fails, I'm not seeing the failure reason in either the normal access log or the ALS TCP log. Because the listener's validation context uses `ACCEPT_UNTRUSTED`, the ext_authz check is where the client certificate is actually validated, so a rejected connection currently leaves no record of why it was rejected.
My log:
AuthorizationServerCheck error="no peer cert"
Access Log:
{
"downstream_peer_uri_san": null,
"duration": 4,
"flags_rx": "-",
"downstream_remote_address": "127.0.0.1",
"req_host": null,
"req_path": null,
"downstream_tls_cipher": "TLS_AES_256_GCM_SHA384",
"resp_duration": null,
"bytes_tx": 0,
"req_method": null,
"downstream_direct_remote_address": "127.0.0.1",
"req_duration": null,
"upstream_transport_failure_reason": null,
"downstream_local_address": "127.0.0.1:443",
"resp_code": 0,
"downstream_peer_subject": null,
"downstream_tls_session_id": null,
"resp_code_details": null,
"host": "...",
"downstream_tls_version": "TLSv1.3",
"req_server_name": "localhost",
"upstream_local_address": "127.0.0.1:61857",
"bytes_rx": 134,
"upstream_cluster": "test",
"ts": "2021-10-20T14:36:00.1634740560.155+0000",
"route_name": null,
"upstream_host": "127.0.0.1:8443",
"downstream_peer_issuer": null
}
ALS:
{
"common": {
"downstream-direct-remote-address": {
"socket-address": {
"address": "127.0.0.1",
"ipv4-compat": false,
"named-port": "",
"port-value": 62241,
"protocol": "TCP",
"resolver": ""
}
},
"downstream-local-address": {
"socket-address": {
"address": "127.0.0.1",
"ipv4-compat": false,
"named-port": "",
"port-value": 443,
"protocol": "TCP",
"resolver": ""
}
},
"downstream-remote-address": {
"socket-address": {
"address": "127.0.0.1",
"ipv4-compat": false,
"named-port": "",
"port-value": 62241,
"protocol": "TCP",
"resolver": ""
}
},
"response-flags": {},
"route-name": "",
"sample-rate": 0,
"start-time": "2021-10-20T15:00:23Z",
"tls": {
"cipher-suite": "TLS_AES_256_GCM_SHA384",
"local-certificate": {
"subject": "O=TEST"
},
"peer-certificate": {
"subject": ""
},
"session-id": "",
"sni": "localhost",
"version": "TLSv1_3"
},
"upstream-cluster": "test",
"upstream-local-address": {
"socket-address": {
"address": "127.0.0.1",
"ipv4-compat": false,
"named-port": "",
"port-value": 62242,
"protocol": "TCP",
"resolver": ""
}
},
"upstream-remote-address": {
"socket-address": {
"address": "127.0.0.1",
"ipv4-compat": false,
"named-port": "",
"port-value": 8443,
"protocol": "TCP",
"resolver": ""
}
},
"upstream-transport-failure-reason": ""
},
"connection": {
"received-bytes": 134,
"sent-bytes": 0
}
}
Listener Config Excerpt
{
"dynamic_listeners": [{
"name": "listener_443:0.0.0.0:443",
"active_state": {
"version_info": "1634700180450893000",
"listener": {
"@type": "type.googleapis.com/envoy.config.listener.v3.Listener",
"name": "listener_443:0.0.0.0:443",
"address": {
"socket_address": {
"address": "0.0.0.0",
"port_value": 443
}
},
"filter_chains": [{
"filter_chain_match": {
"server_names": [
"localhost"
]
},
"filters": [{
"name": "envoy.filters.network.ext_authz",
"typed_config": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.ext_authz.v3.ExtAuthz",
"stat_prefix": "network_authz",
"grpc_service": {
"envoy_grpc": {
"cluster_name": "extauthz"
},
"timeout": "10s"
},
"include_peer_certificate": true,
"transport_api_version": "V3"
}
},
{
"name": "envoy.filters.network.tcp_proxy",
"typed_config": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
"stat_prefix": "ingress_tcp",
"cluster": "test",
"access_log": [{
"name": "envoy.file_access_log",
"typed_config": {
"@type": "type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog",
"path": "/dev/stdout",
"log_format": {
"json_format": {
"duration": "%DURATION%",
"req_server_name": "%REQUESTED_SERVER_NAME%",
"upstream_cluster": "%UPSTREAM_CLUSTER%",
"downstream_local_address": "%DOWNSTREAM_LOCAL_ADDRESS%",
"resp_duration": "%RESPONSE_DURATION%",
"bytes_tx": "%BYTES_SENT%",
"downstream_peer_uri_san": "%DOWNSTREAM_PEER_URI_SAN%",
"ts": "%START_TIME(%Y-%m-%dT%H:%M:%S.%s.%3f%z)%",
"req_method": "%REQ(:METHOD)%",
"req_path": "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%",
"req_duration": "%REQUEST_DURATION%",
"resp_code_details": "%RESPONSE_CODE_DETAILS%",
"downstream_direct_remote_address": "%DOWNSTREAM_DIRECT_REMOTE_ADDRESS_WITHOUT_PORT%",
"resp_code": "%RESPONSE_CODE%",
"bytes_rx": "%BYTES_RECEIVED%",
"upstream_local_address": "%UPSTREAM_LOCAL_ADDRESS%",
"upstream_transport_failure_reason": "%UPSTREAM_TRANSPORT_FAILURE_REASON%",
"downstream_peer_subject": "%DOWNSTREAM_PEER_SUBJECT%",
"host": "%HOSTNAME%",
"upstream_host": "%UPSTREAM_HOST%",
"req_host": "%REQ(:AUTHORITY)%",
"downstream_tls_session_id": "%DOWNSTREAM_TLS_SESSION_ID%",
"downstream_tls_version": "%DOWNSTREAM_TLS_VERSION%",
"downstream_remote_address": "%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%",
"route_name": "%ROUTE_NAME%",
"downstream_peer_issuer": "%DOWNSTREAM_PEER_ISSUER%",
"downstream_tls_cipher": "%DOWNSTREAM_TLS_CIPHER%",
"flags_rx": "%RESPONSE_FLAGS%"
}
}
}
}]
}
}
],
"transport_socket": {
"name": "envoy.transport_sockets.tls",
"typed_config": {
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
"common_tls_context": {
"tls_params": {
"tls_minimum_protocol_version": "TLSv1_2"
},
"tls_certificates": [{
"REDACTED": "REDACTED"
}],
"validation_context": {
"trust_chain_verification": "ACCEPT_UNTRUSTED"
},
"alpn_protocols": [
"h2",
"http/1.1"
]
}
}
},
"name": "tls_server_filter_chain"
}
],
"per_connection_buffer_limit_bytes": 32768,
"listener_filters": [{
"name": "envoy.filters.listener.tls_inspector"
}]
}
}
}]
}
Cluster Config Excerpt
{
"dynamic_active_clusters": [{
"cluster": {
"@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
"name": "extauthz",
"type": "STRICT_DNS",
"connect_timeout": "10s",
"per_connection_buffer_limit_bytes": 32768,
"lb_policy": "LEAST_REQUEST",
"circuit_breakers": {
"thresholds": [{}]
},
"dns_refresh_rate": "300s",
"dns_lookup_family": "V4_ONLY",
"outlier_detection": {},
"upstream_connection_options": {
"tcp_keepalive": {}
},
"load_assignment": {
"cluster_name": "extauthz",
"endpoints": [{
"lb_endpoints": [{
"endpoint": {
"address": {
"socket_address": {
"address": "127.0.0.1",
"port_value": 7001
}
}
},
}]
}]
},
"typed_extension_protocol_options": {
"envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
"@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
"common_http_protocol_options": {
"headers_with_underscores_action": "REJECT_REQUEST"
},
"upstream_http_protocol_options": {},
"explicit_http_config": {
"http2_protocol_options": {
"max_concurrent_streams": 100,
"initial_stream_window_size": 65536,
"initial_connection_window_size": 1048576
}
}
}
},
"respect_dns_ttl": true
},
},
{
"cluster": {
"@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
"name": "test",
"type": "STRICT_DNS",
"connect_timeout": "10s",
"per_connection_buffer_limit_bytes": 32768,
"lb_policy": "LEAST_REQUEST",
"circuit_breakers": {
"thresholds": [{}]
},
"dns_refresh_rate": "300s",
"dns_lookup_family": "V4_ONLY",
"outlier_detection": {},
"transport_socket": {
"name": "envoy.transport_sockets.tls",
"typed_config": {
"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
"common_tls_context": {
"validation_context": {}
}
}
},
"upstream_connection_options": {
"tcp_keepalive": {}
},
"load_assignment": {
"cluster_name": "test",
"endpoints": [{
"lb_endpoints": [{
"endpoint": {
"address": {
"socket_address": {
"address": "127.0.0.1",
"port_value": 8443
}
}
},
"health_status": "HEALTHY",
}]
}]
},
"respect_dns_ttl": true
},
}
]
}